Establishing international norms in cyberspace.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Joseph Nye: [00:01:42] Well, we have a long way to go, but the glass is not empty.
Dave Bittner: [00:01:47] That's Joseph Nye. He's the former Dean of the Harvard Kennedy School of Government. He served as Chair of the National Intelligence Council and as Assistant Secretary of Defense for International Security Affairs under President Clinton. He currently serves as a Commissioner for the Global Commission on Internet Governance and is the author of over a dozen books, including "Soft Power: The Means to Success in World Politics," and "The Future of Power."
Joseph Nye: [00:02:14] In general, it takes about twenty years - if we look back to the nuclear example - for states to adjust to a new disruptive technology. And we're about twenty years into the cyber era, in the sense of the Internet becoming the substrate for economics, politics, and social interactions. Obviously, the computer age goes back much earlier, and the Internet goes back to the early '70s, but it's only really in the last twenty years that you've seen all of our social and economic systems become dependent upon cyber connections. And that creates - that interdependence creates vulnerability, and vulnerability creates insecurity. And so in that sense, the modern age of cybersecurity really is about twenty years.
Joseph Nye: [00:03:09] And it's interesting, again, to compare this to the nuclear era. It was about twenty years after nuclear weapons were first burst on the scene, so to speak, that you had an agreement between states, which was the Limited Test Ban Treaty in 1962, and the Non-Proliferation Treaty in 1968. So in that sense, even though the technology's totally different, in terms of reacting to a disruptive new technology, we're about where we were in the nuclear era.
Dave Bittner: [00:03:50] Now, in terms of that comparison, it strikes me that one of the differences might be that there's no barrier to entry that there is, for example, in the nuclear club, if you will.
Joseph Nye: [00:04:04] Oh, that's right. And the technologies are totally different. But the interesting question is - sort of the better question, is how long does it take a state's society to begin to cope with the being of a new and disruptive technology. So, cyber is totally different in terms of barriers to entry. Also cyber has many more benign effects. Nuclear was supposed to produce electricity "too cheap to meter." Of course that didn't turn out that way.
Dave Bittner: [00:04:39] Hmm.
Joseph Nye: [00:04:40] Cyber has obviously become a major factor in economic growth and in widespread social benefits. So, while it's created new insecurity, it also has created great benefits. And what - the ratios or proportions are very different from the nuclear technology, the participants are very different. But nonetheless, it takes time for societies to readjust to new technologies.
Dave Bittner: [00:05:10] And then, so, when you look along that timeline, and you note where we are, what do you think we have ahead of us?
Joseph Nye: [00:05:17] Well, I think the immediate point is to begin to consolidate some of the gains that have been made. There is a norm of prudence, of not disrupting the basic structure of the Internet. In other words, if you interfere with Domain Name Systems, you're not going to be able to have communications. And in that sense, we don't have disruption at that level. And I think you could say that there's sort of a norm of coordination there.
Joseph Nye: [00:05:53] In addition, if you look at the report of the United Nations Group of Government Experts in 2015, they laid out some broad norms about not attacking civilian targets, which are a start. Then you have some areas, for example, the Budapest Convention on Cybercrime, where a set of states have agreed on procedures they will take to deal with crimes. So there are areas where there's - where norms exist, and there are obviously large areas where we haven't solved the normative problem.
Dave Bittner: [00:06:35] Now, what about efforts - I'm thinking of, like, the Tallinn Manual - where folks were trying to describe the interaction between, the rules between cyber conflict and kinetic conflict. Is that a good step along the way?
Joseph Nye: [00:06:52] Absolutely. I'm a great admirer of the work Mike Schmitt and others have done on the Tallinn Manual, but it touches an area which was, how does cyber relate to the law of armed conflict? And that's very important. And having states agree that international law - including not only the law of the UN Charter, but the laws of armed conflict - apply in cyber is a very important step.
Dave Bittner: [00:07:25] Right.
Joseph Nye: [00:07:27] There are lots of issues that it does take care of, obviously. So, yeah, big plus, but fills out a little bit more of that glass partly-full.
Dave Bittner: [00:07:39] Now, what about the asymmetry when it comes to cyber conflict? You know, it doesn't take a lot of money for a nation state to spin up powerful cyber capabilities. How is that going to play out on the global stage?
Joseph Nye: [00:07:54] Well, the asymmetry is important. I mean, we tend to think that anybody can - that cyber is a leveler, or an equalizer, and anybody can do the same thing. It depends what you're talking about. If you want a denial-of-service attack or the ability to launch a ransomware attack - lots of actors can get into that. You know, you can buy kits on the dark web for some of this.
Joseph Nye: [00:08:28] On the other hand, if you're trying to produce something which is an elaborate attack, like the Stuxnet attack on centrifuges in Iran, that takes a major investment - not only technical, but also human resources. The world isn't level for that type of sophisticated attack. So, people I think would still say that countries like the US and Russia, China, France, and so forth, have capabilities which are much greater than other states' capabilities. But it is interesting to see Iran and North Korea and others get to play in the game.
Dave Bittner: [00:09:15] Now, we see stories of nation states reaching out and exploring each other's critical infrastructure, power systems. And I think there's a lot of concern about that. What is your take on that, in terms of where that - is there a point where there starts to be serious pushback against those sorts of explorations? I mean, how do we handle that from a diplomatic point of view?
Joseph Nye: [00:09:42] Well, there are press reports that the Russians and the Chinese have entered the American electrical grid. I wouldn't be surprised if that's reciprocal. There is the question of what's called, you know, the general intelligence of preparing for potential escalatory situations. There's also situations where this type of exploration has become an attack, which is what the Russians did with the grid in Ukraine in 2015 and '16.
Joseph Nye: [00:10:25] You'll get situations where, for example, Russian hacking into Ukrainian banking - or tax revenue system, I guess - as part of their hybrid warfare in Eastern Ukraine, led to the vast collateral damage that characterized the NotPetya attack last year. So, those are examples where, things have advanced far beyond the general reconnaissance-type intelligence. And I think that's the area that's particularly worrisome.
Joseph Nye: [00:11:03] On the question of general computer network exploitation, or general intelligence gathering, you shouldn't be too surprised by that. But the kinds of attacks that you've seen in Ukraine, and particularly ones like NotPetya with it's enormous collateral damage - some people have estimated it may have cost the world ten billion dollars - that's something different.
Dave Bittner: [00:11:33] What is an appropriate response to something like that? Even if the damage is unintentional, which it seems as though in that case it may have been, how - what's the proper way for the global community to respond?
Joseph Nye: [00:11:47] Well, I think you need to have deterrence, and that means the capacity to both deter by denial and by retaliation. Denial means the hardening of your systems so that the benefits of attack are less easily obtained, and retaliation means that there's punishment for it. Whether the Ukrainians are able to handle that kind of retaliation, I'm not sure. I think the United States could. And one of the problems I think we saw after the Russian interference in the 2016 American presidential elections was that the Americans did not take strong enough retaliatory action to effectively create deterrence for the future, and only now are we beginning to realize that.
Dave Bittner: [00:12:47] And of course, I suppose the the attitude of the current administration doesn't help that effort.
Joseph Nye: [00:12:55] Well, the problem, in terms of retaliation for the 2016 attack, is it got racked up in domestic politics. The president's concerned that the charges of Russian collusion or interference in the election undermined the legitimacy of his election victory, which of course is electoral college victory, not a popular vote victory. That's made him very sensitive and an unwillingness to take strong actions.
Joseph Nye: [00:13:27] I mean, it is interesting that last month the president did sign an executive order authorizing sanctions, including economic, travel, and other types of sanctions against actors who interfere with elections. We'll have to see how well that's applied.
Dave Bittner: [00:13:50] Now, what about this tendency for some of these nations - I'm thinking of of China, certainly, and to a certain degree Russia - are sort of splintering off their Internet access, limiting what citizens can see and do, what they can search for. How does that all play into this?
Joseph Nye: [00:14:07] The old view of the '90s - the sort of libertarian view of the Internet as above states and transnational led to the so-called Internet Freedom Agenda - I think that's been proven to be mistaken. The Internet is a hybrid affair. The servers, the physical apparatus, relies upon physical presence within sovereign boundaries. And that means when states assert sovereign control, whether by confiscating assets from a company or an Internet service provider, or by blocking up a critic or individual, it's sovereign control is there.
Joseph Nye: [00:14:58] Now, the interesting thing is that China and Russia and other authoritarian states have tried to fence off the political and social aspects of the Internet, but maintain its economic benefits. In other words, the benefits that come from communication. And they've been much more successful at this than people expected.
Dave Bittner: [00:15:27] Now, of course you are very well-known for pioneering the theory of soft power. I was wondering - could you explain that to us, first of all, and then sort of extend it to how you think soft power, and also the notion of smart power, applies to the cyber domain?
Joseph Nye: [00:15:44] Well, soft power is the ability to get what you want through attraction, rather than coercion or payment. And it does affect states' reputations. For example, if a state wants to preserve its reputation to make itself more attractive to others, then it may decide to refrain from certain actions which violate taboos. For example, a state which held biological weapons would be basically undercutting its soft power. The Biological Weapons Convention has very little in the way of verification or enforcement. It really just says states will report violations to the UN Security Council.
Joseph Nye: [00:16:34] On the other hand, the calumny, or the cost to a state's soft power, of being seen to hold or use biological weapons is considerable. And that's one of the reasons - reputational cost, damage to your soft power - why states will sometimes refrain from actions which the cost would be out of proportion to the benefit.
Dave Bittner: [00:17:02] What is the role of the United States in this, in terms of leadership, of helping to establish what will be the norms going forward for cyber security?
Joseph Nye: [00:17:15] Well, the US has had a strong position for quite some time that it's in our interest to try to develop norms in this area. Some people say that, you know, we live in the biggest, glassiest of glass houses. So, if all we do is rely upon the threat of throwing stones, it's a part of a defense, but it's not so [unintelligible]. More that we can develop norms in which people decide that they will not risk their soft power or reputation, the better it will be for us, this asymmetrical interdependence that different states have on cyber.
Joseph Nye: [00:18:03] And so, if you look at - the Russians proposed a treaty, a UN treaty, on cyber - or information technology, as they put it - all the way back in 1998. The US said, this is unverifiable and a bad idea. But in 2004 and 2005, the UN Group of Government Experts on Information Technology was created. And over the next decade, they managed to produce some interesting principles to limit cyber conflict.
Joseph Nye: [00:18:42] And the US took a leading role there. If you look at the steps on the - that were implemented, they - some of the various facts and statements in that speech that Secretary of State Kerry gave in Seoul, Korea, some years ago, and the work of American diplomats at working-level, like Chris Painter and Michele Markoff and others - really were important steps in this larger strategy of saying that it's in American interests to see the development of norms. It's not going to solve all these problems - you need deterrence as well. But it may make some of it a bit easier for us to manage.
Dave Bittner: [00:19:29] Our thanks to Joseph Nye from the Harvard Kennedy School of Government for joining us.
Dave Bittner: [00:19:43] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:19:51] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:19:59] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.